fix: Refresh endpoint returns new refresh_token + bump access TTL to 4h

The refresh endpoint only returned access_token, causing the frontend to
set refreshToken=undefined after first refresh — breaking the entire
token chain. Now returns both tokens (rotating refresh). Access token
default bumped from 15min to 4h (14400s) for practical server setup
sessions. Also fixed empty license_key for super admin via DB update.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-nest/src/config/configuration.ts

@@ -9,7 +9,7 @@ export default () => ({
   },
   jwt: {
     secret: process.env.JWT_SECRET || 'change-me',
-    accessExpirySeconds: parseInt(process.env.JWT_ACCESS_EXPIRY_SECONDS || '900', 10),
+    accessExpirySeconds: parseInt(process.env.JWT_ACCESS_EXPIRY_SECONDS || '14400', 10),
     refreshExpirySeconds: parseInt(process.env.JWT_REFRESH_EXPIRY_SECONDS || '604800', 10),
   },
   encryption: {

backend-nest/src/modules/auth/auth.service.ts

@@ -161,22 +161,12 @@ export class AuthService {
         throw new UnauthorizedException('User not found');
       }
 
-      // Generate new access token
+      // Generate new token pair (rotating refresh tokens)
-      const accessToken = await this.jwtService.signAsync(
+      const tokens = await this.generateTokens(user);
-        {
-          sub: user.id,
-          email: user.email,
-          username: user.username,
-          is_super_admin: user.is_super_admin,
-        },
-        {
-          secret: this.configService.get<string>('jwt.secret'),
-          expiresIn: this.configService.get<number>('jwt.accessExpirySeconds') || 900,
-        },
-      );
 
       return {
-        access_token: accessToken,
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
       };
     } catch (error) {
       throw new UnauthorizedException('Invalid refresh token');